shiro（6）分布式应用鉴权方式之Shiro整合SpringBoot下自定义SessionId shiro

Shiro 默认的sessionid生成类名 SessionIdGenerator
创建一个类，实现 SessionIdGenerator 接口的方法

public class RandomSessionIdGenerator implements SessionIdGenerator {private static final Logger log = LoggerFactory.getLogger(RandomSessionIdGenerator.class); private static final String RANDOM_NUM_GENERATOR_ALGORITHM_NAME = "SHA1PRNG"; private Random random; public RandomSessionIdGenerator() { try { this.random = java.security.SecureRandom.getInstance(RANDOM_NUM_GENERATOR_ALGORITHM_NAME); } catch (java.security.NoSuchAlgorithmException e) { log.debug("The SecureRandom SHA1PRNG algorithm is not available on the current platform.Using the " + "platform's default SecureRandom algorithm.", e); this.random = new java.security.SecureRandom(); } }public Random getRandom() { return this.random; }public void setRandom(Random random) { this.random = random; }/** * Returns the String value of the configured {@link Random}'s {@link Random#nextLong() nextLong()} invocation. * * @param session the {@link Session} instance to which the ID will be applied. * @return the String value of the configured {@link Random}'s {@link Random#nextLong()} invocation. */ public Serializable generateId(Session session) { //ignore the argument - just call the Random: return Long.toString(getRandom().nextLong()); } }

public class JavaUuidSessionIdGenerator implements SessionIdGenerator {/** * Ignores the method argument and simply returns * {@code UUID}.{@link java.util.UUID#randomUUID() randomUUID()}.{@code toString()}. * * @param session the {@link Session} instance to which the ID will be applied. * @return the String value of the JDK's next {@link UUID#randomUUID() randomUUID()}. */ public Serializable generateId(Session session) { return UUID.randomUUID().toString(); } }

/** * 自定义session持久化 * @return */ public RedisSessionDAO redisSessionDAO(){ RedisSessionDAO redisSessionDAO = new RedisSessionDAO(); redisSessionDAO.setRedisManager(getRedisManager()); //设置sessionid生成器 redisSessionDAO.setSessionIdGenerator(new CustomSessionIdGenerator()); return redisSessionDAO; }

【shiro（6）分布式应用鉴权方式之Shiro整合SpringBoot下自定义SessionId】没有100%可靠的算法，暴力破解，穷举
- 限制时间内ip登录错误次数
- 增加图形验证码，不能过于简单，常用的OCR可以识别验证码
建议：微服务里面，特别是对C端用户的应用，不要做过于复杂的权限校验，特别是影响性能这块